715097 - Crash in mozilla::image::RasterImage::Discard @ _cairo_user_data_array_fini

Status: RESOLVED INCOMPLETE

(Core :: Graphics: ImageLib, defect)

Description

[Vivien Nicolas (:vingtetun) (:21) - (NOT reading bugmails, needinfo? please)]

Program received signal SIGSEGV, Segmentation fault.
_cairo_user_data_array_fini (array=0x7fffd42e9428) at /home/vivien/Devel/mozilla/b2g/desktop/src/gfx/cairo/cairo/src/cairo-array.c:389
389		    if (slots->user_data != NULL && slots->destroy != NULL)
Current language:  auto
The current source language is "auto; currently c".
(gdb) backtrace 
#0  _cairo_user_data_array_fini (array=0x7fffd42e9428) at /home/vivien/Devel/mozilla/b2g/desktop/src/gfx/cairo/cairo/src/cairo-array.c:389
#1  0x00007ffff4863685 in *INT__moz_cairo_surface_destroy (surface=0x7fffd42e9400)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/gfx/cairo/cairo/src/cairo-surface.c:654
#2  0x00007ffff47d5e0f in gfxASurface::Release (this=0x7fffd40ca4c0) at /home/vivien/Devel/mozilla/b2g/desktop/src/gfx/thebes/gfxASurface.cpp:125
#3  0x00007ffff3e6646c in ~nsRefPtr (this=0x7fffd42e19b0, __in_chrg=<value optimized out>) at ../../dist/include/nsAutoPtr.h:907
#4  ~imgFrame (this=0x7fffd42e19b0, __in_chrg=<value optimized out>) at /home/vivien/Devel/mozilla/b2g/desktop/src/image/src/imgFrame.cpp:168
#5  0x00007ffff3e63120 in mozilla::imagelib::RasterImage::Discard (this=0x7fffdb353f10, force=false)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/image/src/RasterImage.cpp:2165
#6  0x00007ffff3e5f40a in mozilla::imagelib::DiscardTracker::TimerCallback (aTimer=<value optimized out>, aClosure=<value optimized out>)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/image/src/DiscardTracker.cpp:270
#7  0x00007ffff47a0789 in nsTimerImpl::Fire (this=0x7fffd3a31060) at /home/vivien/Devel/mozilla/b2g/desktop/src/xpcom/threads/nsTimerImpl.cpp:428
#8  0x00007ffff47a0851 in nsTimerEvent::Run (this=<value optimized out>) at /home/vivien/Devel/mozilla/b2g/desktop/src/xpcom/threads/nsTimerImpl.cpp:524
#9  0x00007ffff479dd6e in nsThread::ProcessNextEvent (this=0x7fffe882a060, mayWait=false, result=0x7fffffffb79f)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/xpcom/threads/nsThread.cpp:660
#10 0x00007ffff47708a2 in NS_ProcessNextEvent_P (thread=<value optimized out>, mayWait=72)
    at /home/vivien/Devel/mozilla/b2g/desktop/build/xpcom/build/nsThreadUtils.cpp:245
#11 0x00007ffff4706b2a in mozilla::ipc::MessagePump::Run (this=0x7ffff6dda400, aDelegate=0x7ffff6ddb240)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/MessagePump.cpp:110
#12 0x00007ffff47bcf9e in MessageLoop::RunHandler (this=0x7fffd42e9428)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:201
#13 MessageLoop::Run (this=0x7fffd42e9428) at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:175
#14 0x00007ffff465e2ad in nsBaseAppShell::Run (this=0x7fffe744f240) at /home/vivien/Devel/mozilla/b2g/desktop/src/widget/src/xpwidgets/nsBaseAppShell.cpp:189
#15 0x00007ffff4530fc6 in nsAppStartup::Run (this=0x7fffe7474dd0)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/components/startup/nsAppStartup.cpp:220
#16 0x00007ffff3d4a2d6 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/xre/nsAppRunner.cpp:3523
#17 0x00000000004020ae in do_main (argc=2, argv=0x7fffffffe238) at /home/vivien/Devel/mozilla/b2g/desktop/src/b2g/app/nsBrowserApp.cpp:201
#18 main (argc=2, argv=0x7fffffffe238) at /home/vivien/Devel/mozilla/b2g/desktop/src/b2g/app/nsBrowserApp.cpp:287

Comment 1

[Vivien Nicolas (:vingtetun) (:21) - (NOT reading bugmails, needinfo? please)]

The condition to reproduce are very specific. I'm running a Firefox Nightly with the server part of https://github.com/vingtetun/remote-web-console and a linux b2g-build with the client side of https://github.com/vingtetun/remote-web-console.

The bug happens on the b2g build when a large chunk of data is sent through nsIFrameMessageManager.sendAsyncMessage from a content script.
There is only one process in the b2g build, nothing else.

Comment 2

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

This bug looks vaguely familiar but last time I saw it was during deeply-nested reflows.

The STR are pretty complicated, but just for starters, were you using the Jan-03 nightly?

Comment 3

[Brent Garber]

https://crash-stats.mozilla.com/report/index/bp-c6b60bbe-2e87-422f-8a48-8d15e2120208
https://crash-stats.mozilla.com/report/index/bp-f627c241-468d-4cef-8cbb-74e252120208
https://crash-stats.mozilla.com/report/index/bp-fbaf3616-81d6-448f-94aa-94e942120208

After trying to restore my tabs after a crash, I often get this crash immediately upon restart

Comment 4

[Scoobidiver (away)]

It's #9 top browser crasher in 11.0 on Linux.

More reports at:
https://crash-stats.mozilla.com/report/list?signature=_cairo_user_data_array_fini

Comment 6

[Wayne Mery (:wsmwk)]

Vivien, can you still reproduce this?

On crash-stats, crashes from recent versions is almost zero, and none of them are linux

Comment 7

[u279076]

There is only 1 report recently on Linux and it was with Firefox 11. There are several crashes with current versions but those are all on Windows which I suspect could be a different issue. As such I am closing this bug report. Please reopen it if you can reproduce the crash on Linux with a current version.